Kentucky e-voting fraud manipulated voters, not machines

Six people have been indicted in a Kentucky scandal that involves rigging an …

This past Friday brought news of a handful of indictments of elections officials in Kentucky who are alleged to have rigged elections in 2002, 2004, and 2006 by changing votes in electronic voting machines. The group of five officials (plus one non-official) is charged with a list of crimes including manipulating the vote totals in electronic voting machines, certifying elections that they knew to be rigged, and arranging for votes to be sold. Remarkably, the vote manipulation technique here was essentially an exploit of a simple UI design flaw, and involved no computer skills at all on the part of the alleged perpetrators.

Most of the charges outlined in the indictment [PDF] are for old-school, non-electronic crimes like racketeering, extortion, mail fraud, and so on. But even the e-voting part, believe it or not, was incredibly low-tech and didn't involve any of the well-known exploits documented for the ES&S iVotronic machines that were used.

Voting on the electronic machines used in the fraud involves a few basic steps:

1. Go through and pick your candidates using the touchscreen.
2. Press the "Vote" button that appears on the touchscreen.
3. Review the slate of candidate selections one final time on a special review screen to make sure that you don't want to change anything. (If you do, you can go back from here.)
4. Actually cast your vote by pressing the "Cast ballot" button.

Pages 15 and 16 of the indictment describe how the vote stealing was carried out; here's how it worked:

Two of the folks involved allegedly told voters that pressing the "Vote" button would actually cast their ballot, so that they would leave the booth right after pressing it, with their ballot still uncast. When voters left the booth after pressing "Vote," these two guys would go into the booth behind them and change their votes before casting the final, now-altered ballot.

Clearly, no audit—mandatory or otherwise—would've caught this fraud, because it relied on the best and most reliable tool in the hacker's arsenal: good, old-fashioned "social engineering."

This entire incident says less about the perils of e-voting than it does about human nature, but this isn't to say that the e-voting vendor is entirely off the hook. Better documentation for the public and better UI design would've probably thwarted this particular fraud, but then again, the fraudsters might well have figured out another low-tech trick for stealing votes. If the folks actually running the process are determined to be corrupt, there isn't much you can do.
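The two-step flow described above can be modeled as a small state machine to show where the gap sits and how one UI change would close part of it. This is an added example, not code from the iVotronic or from the indictment; the class, the `review_timeout` hardening, the `VOIDED` state and the timeline in `replay` are all assumptions made for illustration.

```python
from enum import Enum, auto
class State(Enum):
    SELECTING = auto()
    REVIEW = auto()   # "Vote" pressed; the ballot is NOT yet cast
    CAST = auto()
    VOIDED = auto()   # hypothetical state: ballot abandoned on the review screen

class BallotSession:
    """Toy model of the flow: select -> "Vote" -> review -> "Cast ballot"."""
    def __init__(self, review_timeout=None):
        # review_timeout (seconds) is an assumed hardening; None models the flow as described.
        self.state, self.selections = State.SELECTING, {}
        self.review_timeout, self.last_input = review_timeout, 0.0
    def _touch(self, now):
        # Void a ballot that sat idle on the review screen longer than the timeout.
        idle = now - self.last_input
        if self.state is State.REVIEW and self.review_timeout is not None and idle > self.review_timeout:
            self.state = State.VOIDED
        self.last_input = now
    def _require(self, expected):
        if self.state is not expected:
            raise RuntimeError(f"not allowed in state {self.state.name}")
    def select(self, contest, candidate, now):
        self._touch(now)
        if self.state is State.REVIEW:   # the voter may go back from the review screen
            self.state = State.SELECTING
        self._require(State.SELECTING)
        self.selections[contest] = candidate
    def press_vote(self, now):
        self._touch(now)
        self._require(State.SELECTING)
        self.state = State.REVIEW
    def press_cast_ballot(self, now):
        self._touch(now)
        self._require(State.REVIEW)
        self.state = State.CAST
        return dict(self.selections)

def replay(review_timeout):
    """Constructed timeline: ballot left at review, machine touched again 60 s later."""
    s = BallotSession(review_timeout)
    s.select("Contest 1", "Candidate A", now=0)
    s.press_vote(now=30)   # voter leaves here, believing the ballot is cast
    try:
        s.select("Contest 1", "Candidate B", now=90)
        s.press_vote(now=95)
        return s.press_cast_ballot(now=100)
    except RuntimeError:
        return s.state.name
```

With no timeout the abandoned ballot is cast with the changed selection; with a 20-second timeout it is voided instead. A timeout only narrows the window and does nothing against someone who reaches the machine before it expires.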

Among the six people indicted were a circuit court judge, two elections officers, and a county clerk. The conspiracy was apparently bipartisan, and looks to have been aimed more at increasing the personal fortunes of the co-conspirators by placing them in local positions of influence than at enhancing any one national party's standing.